A false positive CVE list is an issue elsewhere as well, and it's important to understand that there's not much a Docker Postgres maintainer can do if the problem lies in the Debian or Ubuntu package and isn't getting fixed for some reason.
https://github.com/docker-library/faq#why-does-my-security-s...
It's also advisable not to use the default settings:
https://pythonspeed.com/articles/docker-security-scanner/ "trivy --ignore-unfixed <image>"
Of course, it is advisable for the image maintainer to rebuild the Docker image weekly or bi-weekly to ensure all recent patches are included.
However, for those who prioritize security, it is best to build the image themselves to guarantee up-to-date packages.
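As an added example (not part of the comment above, and not Trivy's own code), this sketch shows the split that `--ignore-unfixed` makes, applied to a saved JSON report: findings with a published fixed version are worth a rebuild, the rest cannot be fixed by the image maintainer. It assumes the `Results[].Vulnerabilities[]` layout with a `FixedVersion` field from Trivy's JSON output; the function names, CVE IDs and package names are constructed placeholders.

```python
import json

# Constructed sample in the shape of `trivy image --format json` output
# (Results[].Vulnerabilities[]); IDs and package names are placeholders.
SAMPLE_REPORT = json.loads("""
{"Results": [
  {"Target": "example-image (debian 12)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
     "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
     "InstalledVersion": "1.34-1", "Severity": "LOW"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
     "InstalledVersion": "2.1-3", "FixedVersion": "", "Severity": "CRITICAL"}
  ]},
  {"Target": "usr/local/bin/tool"}
]}
""")

def split_findings(report):
    """Partition findings into (fixable, unfixed) by whether a fix is published."""
    fixable, unfixed = [], []
    for result in report.get("Results") or []:
        # A target without findings omits the key or sets it to null.
        for vuln in result.get("Vulnerabilities") or []:
            (fixable if vuln.get("FixedVersion") else unfixed).append(vuln)
    return fixable, unfixed

def rebuild_needed(report, severities=("HIGH", "CRITICAL")):
    """True if rebuilding with updated packages would clear a finding at these levels."""
    fixable, _ = split_findings(report)
    return any(v.get("Severity") in severities for v in fixable)

if __name__ == "__main__":
    fixable, unfixed = split_findings(SAMPLE_REPORT)
    for v in fixable:
        print(f"UPGRADE {v['PkgName']} {v['InstalledVersion']} -> {v['FixedVersion']}"
              f" ({v['VulnerabilityID']}, {v['Severity']})")
    print(f"{len(unfixed)} finding(s) have no fixed package available yet")
    print("rebuild needed:", rebuild_needed(SAMPLE_REPORT))
```

Keeping the unfixed list rather than discarding it lets you re-check it on the next scan, when the distribution may have shipped a fix.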
CVE-2005-2541 is documented & required behavior for the tar archive: https://marc.info/?l=bugtraq&m=112360016019030&w=2 . Infuriating that the CVE was seen as valid enough to get a number.